frodovdr/raspap-webgui
1
0
Fork 0
mirror of https://github.com/billz/raspap-webgui.git synced 2025-03-01 10:31:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

validate token value from csrf token header

Browse Source 
if supplied and not overridden by post request param
This commit is contained in:
glaszig
2019-07-30 17:28:03 +02:00
parent ce3ec131a6
commit 0967a53152
1 changed files with 13 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
includes/functions.php
View File

@@ -83,7 +83,19 @@ function CSRFMetaTag()
*/ */
function CSRFValidate() function CSRFValidate()
{ {
if (hash_equals($_POST['csrf_token'], $_SESSION['csrf_token'])) { $post_token = $_POST['csrf_token'];
$header_token = $_SERVER['HTTP_X_CSRF_TOKEN'];
if (empty($post_token) && empty($header_token)) {
return false;
}
$request_token = $post_token;
if (empty($post_token)) {
$request_token = $header_token;
}
if (hash_equals($_SESSION['csrf_token'], $request_token)) {
return true; return true;
} else { } else {
error_log('CSRF violation'); error_log('CSRF violation');